Creating and Using a Certificate for the CSUpload Tool with Azure IaaS Services

In my posting on using SharePoint up in Azure IaaS services (https://blogs.technet.com/b/speschka/archive/2012/06/17/creating-an-azure-persistent-vm-for-an-isolated-sharepoint-farm.aspx), one of my friends – Mike Taghizadeh, who demands that he be mentioned :-) – noticed that I didn’t have instructions for how to create a certificate and use that with the csupload command line tool. So to help those that may be having the same issue I am going to make a quick run through that process here.

To begin with, really the easiest way to create a certificate that you can use for this purpose is to open the IIS Manager on Windows 7 or Windows Server 2008 or later, and create a self-signed certificate in there. You can find it in IIS Manager by clicking on the server name, then double click on Server Certificates in the middle pane. That shows all of the installed certificates, and in the right task pane you will see an option to Create Self-Signed Certificate…

After you create your certificate you need to export it twice – once with the private key, and once without. The reason you do it twice is that you need to upload the certificate without the private key to Azure. The certificate with the private key needs to be added to your personal certificate store on the computer where you are making your connection to Azure with csupload. When you create the certificate in IIS Manager, it puts the certificate in the machine’s personal store; that’s why you need to export it and add it to your own personal store.

Exporting the certificates is fairly straightforward – just click on it in the IIS Manager then click on the Details tab of the certificate properties and click the Copy to File… button. I’m confident you can use the wizard to figure out how to export it with and without the private key. Once you have the export with the private key (the .pfx file), open the Certificates MMC snap-in and import it into the Personal store for your user account. For the export without the private key, just navigate to the Azure portal and upload it there. You want to click on the Hosted Services, Storage Accounts and CDN link in the bottom left navigation, and then click on the Management Certificates in the top left navigation. Note that if you don’t see these navigation options you are probably viewing the new preview Azure management portal, and you need to switch back to the current Azure management portal. You can do that by hovering over the green PREVIEW button in the top center of the page, then clicking the link to “Take me to the previous portal”.

When you’re in the Management Certificates section you can upload the certificate you exported (the .cer file). What’s nice about doing it this way is that you can also copy the subscription ID and certificate thumbprint right out of the portal. You’ll need both of these when you create the connection string for csupload. If you click on the subscription, or click on the certificate, you’ll see these values in the right info pane in the Azure Management Portal. Once you’ve copied the values out, you can plug them into a connection string for csupload like this:

csupload Set-Connection "SubscriptionID=yourSubscriptionID;CertificateThumbprint=yourThumbprint;ServiceManagementEndpoint=https://management.core.windows.net"

Once you do that you are good to go and can start using csupload. If you get an error message that says: “Cannot access the certificate specified in the connection string. Verify that the certificate is installed and accessible. Cannot find a connection string.” – that means that the certificate cannot be found in your user’s Personal certificate store. Make sure that you have imported the .pfx file into it and try again.
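
To narrow down the error above, the following PowerShell check reports where the certificate with a given thumbprint actually lives and whether its private key came with it. This is an added example, not part of the original post or of the Azure SDK; the function name Test-CsUploadCertificate and the sample thumbprint are made up for illustration.

```powershell
# Added example: diagnose csupload's "Cannot access the certificate" error.
# Test-CsUploadCertificate is a hypothetical helper name, not an Azure SDK command.
function Test-CsUploadCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint
    )

    # Thumbprints copied from a UI often carry spaces or invisible characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }

    # The store csupload reads from (current user) and the store IIS Manager writes to (machine).
    $userCert = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    $machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1

    if ($userCert -and $userCert.HasPrivateKey) {
        $status = 'Ready'
        $detail = 'Certificate and private key are in the current user Personal store.'
    }
    elseif ($userCert) {
        $status = 'NoPrivateKey'
        $detail = 'Found without a private key; the .cer was likely imported instead of the .pfx.'
    }
    elseif ($machineCert) {
        $status = 'MachineStoreOnly'
        $detail = 'Only in the machine Personal store; import the .pfx export into your user store.'
    }
    else {
        $status = 'NotFound'
        $detail = 'Not in either Personal store; recheck the thumbprint copied from the portal.'
    }

    New-Object PSObject -Property @{
        Thumbprint = $clean; Status = $status; Detail = $detail
    }
}

# Constructed placeholder thumbprint; substitute the value copied from the portal.
Test-CsUploadCertificate -Thumbprint '00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33'
```

A Status of Ready means the value in Thumbprint can go straight into the CertificateThumbprint part of the connection string. Once the import has succeeded, the .pfx export is a loose copy of the private key and is better deleted or stored somewhere protected.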